Archive: 2019 Year of Compliance
Yes, it’s that time of year again. Time to take a pause. To reflect on the year that was, and one to come. Time for blogs to repurpose old articles for “best of” posts.
And we will certainly be doing that here. But before we do, it’s worth sparing a moment to take a broader look at the major risk and compliance events of 2019 and ask ourselves: what just happened? If we relax our eyes and shift our focus from individual headlines to the collective patterns they weave, what do we see? What has changed, and what does it mean?
One of the biggest R&C stories of 2019 is the rise of the whistleblower. Recent events may have thrust the term into the public spotlight (Google saw interest in the topic jump by 96% between September 8th and September 22nd), but the larger, more substantive narrative of whistleblowing in 2019 is the expansion of legal and regulatory protections for whistleblowers worldwide. From the EU’s Whistleblower Directive to Australia’s changes to its Corporations Act to the development of ISO 37002, 2019 was the year that countries across the globe took action to more definitively protect those who speak up regardless of a company’s size, the reporter’s role or whether or not they choose to identify themselves.
Another closely connected 2019 trend is the expansion of consumers’ data privacy rights worldwide. What began in 2018 with the EU’s enactment of GDPR has expanded both within the US and internationally, from Australia’s Consumer Data Right (due in February 2020) to California’s Consumer Privacy Act (CCPA). Existing protections, meanwhile, were applied in new and expansive ways, such as the Canadian Radio-Television and Telecommunications Commission’s first-ever decision to hold a CEO personally liable for violations of the country’s Anti-Spam Law.
Perhaps the single biggest development within the risk and compliance space in the United States was the Department of Justice’s decision to issue an update to its “Evaluation of Corporate Compliance Programs.” While not legally binding nor a best practice guide, the DOJ’s release of this official guidance to prosecutors provided the clearest evidence yet that US regulatory agencies are moving away from “mere compliance” standards when deciding whether and how to prosecute compliance failures.
Finally, we would be remiss not to note the news stories and research published over the past year further reinforcing what most in the compliance industry already knew – that mature compliance programs create better business performance. Our first-ever 2019 Definitive Corporate Compliance Benchmark Report found three key drivers associated with positive program performance: maturity, use of technology, and leadership buy-in. According to this newest analysis, advanced programs that utilize purpose-built software and are supported by their senior management were better able to prevent and manage risk compared with their peers. Researchers at George Washington University, meanwhile, augmented a groundbreaking 2018 study connecting robust whistleblowing programs to improved organizational performance with new insight and analysis. Comparing an existing dataset to databases of news publications and regulatory fines, the new research is uncovering a clear association between increased hotline usage and decreased negative news coverage, as well as fewer and reduced regulatory fines.
Story #1: DOJ Doubles Down on Evaluation of Corporate Compliance Programs Guidance
In April of 2019, the Department of Justice issued a revised version of its Evaluation of Corporate Compliance Programs. If you are in the compliance community, you are most likely aware of the original version of the Evaluation released in early 2017, and the frenzy it set off within the compliance industry. We have always been an industry hungry for the enforcer’s perspective, and this year we got an additional 10 pages of discussion and an official DOJ seal in the letterhead (which the original document did not have).
The updates are more of the same, and that is meant in the best way. When Brian Benczkowski, Assistant Attorney General for the DOJ’s Criminal Division and author of the update, was asked about his thinking and approach during an address at Compliance Week 2019, he described his experiences in private practice when corporate clients came into his office with the list of the original guidance questions attempting to show how they met the DOJ expectations. He kept this in mind as they developed the update.
Desire for More Transparency & Clarity
The key theme in Benczkowski’s address was transparency between the DOJ and the organizations they investigate. “We have sought to provide additional transparency in how we will analyze a company’s compliance program... We hope this updated version provides additional insight to both prosecutors and companies with respect to the evaluation of compliance programs.”
The updated Evaluation has been reorganized to acknowledge that no matter what a company’s particular circumstances might be (and those circumstances will vary enormously), prosecutors will want to answer three fundamental questions:
Is the compliance program well designed?
Is the program being implemented effectively?
Does the program work in practice?
Story #2: Program Maturity Correlates with Three Key Performance Drivers
In NAVEX Global’s inaugural Definitive Corporate Compliance Benchmark Report, risk and compliance related representatives from a wide range of industries and more than 1,000 organizations responded to survey questions about their approaches to building, managing and optimizing effective risk and compliance (R&C) programs.
As the market evolves toward comprehensive platform solutions, we have integrated our findings into one report to highlight key correlations and identify systemic performance drivers.
The Significance of Program Maturity
The report finds program maturity, leadership buy-in, and the use of technology as key performance drivers across successful compliance programs. For instance, approximately half (48%) of all respondents say their senior management view their compliance program as a strategic part of risk management efforts. However, when the data is cut to isolate respondents from Advanced programs, that number rises to 83%. For Reactive programs, the number drops to 13%.
Of this 83% subset of respondents who operate Advanced programs and have senior management who view the program as part of a comprehensive risk management strategy, 97% feel their organization is ethical most, or all, of the time. Analyzing the data one step further, we see that two-thirds of that group (65%) also use five compliance technology solutions.
That is a lot of data to process in a short paragraph, but the key takeaway is this:
Respondents from Advanced compliance programs have senior management who view their efforts as a strategic part of risk management, implement a larger number of technology solutions to automate their compliance operations, and believe that their organization is ethical all or most of the time.
There is a divide between program performance when it comes to maturity level. And like the DOJ highlights in its updated corporate compliance guidance, having a compliance program is not the goal – having an effective compliance program is.
Story #3: The Rising Tide of Global Whistleblower Regulations
The whistleblowing landscape has changed substantially over the past few years. High profile cases have spurred new whistleblower protection regulations across the globe. This has driven organizations already operating in heightened regulatory environments to re-evaluate the effectiveness of their internal reporting systems. It has also motivated all organizations with a global footprint to consider how these trends may affect their business.
Whistleblower regulations and protections were a featured discussion topic at NAVEX Global’s annual Ethics & Compliance Virtual Conference (ECVC) on Thursday, October 24. The session included a panel of whistleblower experts from around the world invited to discuss the specific changes taking place, why they are happening now, and what the implications are for businesses.
Why Now?
From the political arena to some of the world’s biggest companies, scandals exposed by whistleblowers have driven a succession of news cycles in recent years. But even with the heightened awareness among compliance professionals about the need to identify and address issues internally, many employees still feel the need to report publicly. The question is, why?
The most likely answer is lack of trust. Many employees lack trust in institutions generally and in their organizations in particular. Not knowing whether an internal report will be taken seriously can be discouraging; having to consider if it will result in retaliation can be debilitating. This situation has been further complicated by the U.S. Supreme Court’s ruling that the Dodd-Frank Act’s whistleblower protections only apply to those who report to the SEC, leaving internal whistleblowers exposed.
"As a profession, we have not yet been able to figure out how to identify, manage and prevent retaliation,” Carrie Penman, chief risk and compliance officer at NAVEX Global, said during the panel discussion. “That’s the common theme through all of the various changes, regulations and directives we’re seeing.” And these changes are happening all around the world. Increasingly, there is a demand for policies and processes to be codified within an organization’s standard operating procedures. When there is a lack of trust, consistency and transparency become critical.
So, what can your organization do to prepare for the Risk and Compliance world of 2020? Forward-thinking compliance programs should consider taking the following steps:
Stay informed and up to date. As the stories and trends above note, the regulatory environment within the risk and compliance space evolved rapidly in 2019, and it shows no signs of slowing. Every compliance program should re-evaluate its policies, training plan and internal reporting systems to make certain they meet the most current standards. You should also continuously monitor your third-party risk profiles, if you aren’t already.
Move beyond check-the-box compliance. While updating your program to meet current standards is good, it can never fully insulate you from compliance failures. Great programs go beyond “mere” compliance with regulatory obligations and leverage key drivers of performance. Make securing leadership buy-in a top objective in 2020. Automate your compliance program, with purpose-built solutions wherever possible. Update your code of conduct, and make sure everyone in your company – including senior leadership – attests to it.
Get the receipts. In the event of a compliance failure, prosecutors won’t be interested in how many boxes you ticked off your compliance checklist. They will want to know how well designed and implemented your program was, and how you measured its effectiveness. In 2020, develop metrics for success that move beyond simple attestation. Survey your audience’s comprehension of company policies and programs, and then use that data to make refinements to your training, hotline and awareness programs. Finding new ways to measure and improve your program’s effectiveness can do more to improve (and protect) your program than any checklist.
Whistleblowing
» White Paper: The New UK Whistleblower Rules
» Use Case: A Whistleblower Hotline for the Global Enterprise
Data Privacy
» Data Sheet: California Consumer Privacy Act (CCPA)
» Training: CCPA Training
» Training: Global Data Privacy
DOJ Compliance
» Document: DOJ Compliance Program Guidance Evaluation Matrix
» Webinar: Decoding the DOJ’s Guidelines: An Insider’s Guide
» Definitive Guide: Definitive Guide to Compliance Program Assessment
Data-Driven Compliance
» Benchmark Report: 2019 Definitive Corporate Compliance Benchmark Report
» White Paper: Hotlines & Headlines: Examining the Relationship Between Hotline Reporting and Corporate Reputation
Uncertainty isn’t just an unpleasant part of risk and compliance; it’s at the heart of our profession. Trying to anticipate and influence the interactions, perceptions and behavior of an organization and its people – commonly referred to as creating a culture of compliance – requires dealing in the intangible. Likewise, risk management necessarily deals with the unknown – the unidentified threat, the unintended outcome. Given this, it’s hardly surprising that R&C professionals crave answers. We want to know how to predict, measure and respond to common compliance issues. Having straightforward answers to questions like “when should an organization consider a whistleblower investigation closed?” can, ideally, offer a course of action that is clear, defensible and fair.
In practice, however, the “right” answer is rarely that simple. Possible compliance actions must be routinely measured against multiple factors including personnel, environment and circumstance. No two situations are exactly alike; every situation – and every answer – is unique.
Consequently, experienced R&C professionals have learned to focus not on answers but on questions. Determining the right questions to ask in a given situation can help an R&C officer develop a solution that effectively addresses the issue at hand. When designing a training plan on a subject such as bribery, for example, a compliance officer should ask questions such as:
What training have employees already received?
How will you determine who should be trained?
What supplemental and/or tailored training should high-risk and supervisory employees receive?
How will you address lessons learned from prior misconduct?
How will you assess comprehension?
What will you do to address employees who fail all or some of the training?
Questions like these are the foundation of the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs. This document, ostensibly for prosecutors in the wake of a compliance failure, can be useful for R&C professionals looking to design an effective program capable of preventing those failures in the first place. The guidance starts with three basic questions:
Is your program well designed?
Is it being implemented effectively?
Does it work in practice?
Of course, the answers to these questions in turn rely on a series of other questions about a compliance program’s risk assessment, policies and procedures, training and communications, reporting and investigative structure, third-party management, mergers and acquisitions, leadership commitment, autonomy and resources, incentives and disciplinary measures, ongoing assessment and remedial efforts. In all, the guidance lists 150 distinct questions about program design, implementation, and assessment. Applying these questions to your organization’s compliance program can help you identify key strengths, target weaknesses, and plan for long-term growth.
Criticality, Clarity & Consequence
Good questions can (and should) also inform policy development. One of the key skills in effective policy design is prioritization. Too many policies can burden your organization; too few can expose it to unnecessary risk. In order to efficiently allocate resources, compliance officers must be able to determine if and when new policies are required. There is no simple rubric or guide for this; each organization has its own unique risk profile. Asking the right questions, however, can lead to the right decision for you. These questions revolve around three main points: criticality, clarity, and consequence.
First, ask yourself: how critical is this policy to your organization? What role will it play in daily operations? How often will employees refer to it? How many employees will be affected? Is it required by state law or regulation? How have recent events affected its urgency? Finally, how likely is a violation to occur absent such a policy? Next, try to determine how clear the new or updated policy is. Ask yourself: how complex is the subject matter? Does the policy effectively communicate your organization’s executive direction? Finally, ask questions that can help you think through the consequences of implementing – or lacking – such a policy. How will the policy impact your corporate culture? Could its absence result in physical or reputational harm? How will it impact operations? And of course, will it effectively resolve existing challenges?
Questioning shouldn’t just be limited to your policies. This process is also effective with employees. Compliance-based questions can inform the hiring process. Asking a prospective employee to describe ethical challenges they’ve faced and how they’ve dealt with them can help you identify candidates who practice ethical behavior, writes Jeff Kaplan, a compliance expert and attorney with Kaplan & Walker LLC. Questions about ethical behavior can also be useful when building customer engagement surveys. Kaplan suggests focusing on “ethical flexibility,” a term which gives respondents permission to talk about ethical transgressions without labeling them as such.
Of course, choosing the right questions is critical in survey design. Benchmark reports like NAVEX Global’s Definitive Corporate Compliance Benchmark rely heavily on questionnaire responses for their data and analysis. Last year’s report elicited responses from nearly 1,000 members of the compliance community, and yielded many informative results. Chief among these was the identification of three primary drivers of compliance program performance: Program maturity, use of technology, and leadership buy-in. The survey found that respondents whose programs scored highly in these areas reported greater effectiveness and efficiency across a series of key measures. They also reported greater satisfaction with their programs, and were more likely to state that employees found value in compliance efforts as well.
Such data-driven reports offer tangible, real-world applications for compliance professionals. With enough responses, such surveys can provide a valuable picture of the industry that compliance officers can use as a point of reference in assessing their own programs. In-depth research provides insight into what practical steps or actions can be taken to improve program performance. Perhaps most importantly, the written analyses and graphical representations of data within these reports give compliance professionals the tools they need to advocate for their program in the boardroom and during budgeting decisions.
This year, the 2020 NAVEX Global benchmark survey is focused on providing insight into the changing state of the risk and compliance industry. Through a series of targeted questions, the survey examines just how robust compliance programs are. Do they include elements like a code of conduct, internal whistleblower channels, and policies to detect and prevent retaliation? Do they conduct risk assessments? If so, how often?
The survey also explores the tools and resources compliance officers are using to manage their risk. Are they utilizing purpose-built technologies, repurposing other software solutions, or still relying on a paper-based management system? What specifically are compliance professionals looking for in a software solution?
The study also explores how businesses are approaching different types of risk. How specifically are organizations dealing with integrated risk management? Do they have a Chief Compliance Officer, a Chief Risk Officer, or both?
Perhaps most importantly, how is an organization’s compliance program viewed by senior management? Does the program have the support of board members and senior management? If so, how is that support communicated and demonstrated? Do compliance officers report to the board, and if so, how often?
While thoughtful question design can lay the groundwork for providing useful data, the ultimate success of any survey – especially a benchmark survey – relies on participation. This is the greatest challenge facing any organization fielding a survey: how can you find enough people with the necessary experience and insight willing to take the time to respond? Email and online surveys typically have a response rate of under 30%. For an in-depth, industry-specific survey like the NAVEX Global Benchmark questionnaire, the completion rate can be as low as 0.2%. Without a sufficient number of responses, benchmark surveys can’t provide the data and analysis compliance programs like yours can use to advocate for stronger mandates and increased budgets.
The first key step, then, for your organization is to take the 2020 NAVEX Global Benchmark Survey. This year, in return for your participation you will receive early and exclusive insights that can give you an in-depth look into the survey results. You will also be sent a copy of the full report upon its release.
In addition to benchmark reports, you can also use the questions provided in the DOJ’s Evaluation of Corporate Compliance Programs to help reduce the risk of a compliance failure. In the event of a failure, having a compliance program that can answer the questions asked within this document in the affirmative may help to reduce the negative impact. You can refer to NAVEX Global’s evaluation matrix to see which software solutions can best address the sections outlined in the DOJ document.
Create a question matrix to help you prioritize your policy development efforts effectively. This list of 20 questions can help you begin to think about what questions you should ask when deciding whether and when to pursue a given policy initiative.
Finally, try to incorporate questions about ethical behavior into your hiring process. Make sure to ask questions that ask about prior experience (“tell me about a time when you…”) rather than hypothetical situations (“what would you do if…”) as these questions tend to elicit the most useful responses. Also try to incorporate similar questions into employee engagement surveys. Make sure to design questions that allow for honest responses by using non-judgmental language and terms like “ethical flexibility.”
» Survey: 2020 NAVEX Global Benchmark Survey
» Report: 2019 Definitive Corporate Compliance Benchmark Report
» Document: DOJ Compliance Program Guidance Evaluation Matrix
» Definitive Guide: Definitive Guide to Policy and Procedure Management
» Webinar: Your Ethics Philosophy Is Not Enough for Regulators
Though quickly growing in sophistication and importance, the compliance profession itself is relatively young. Arising from early congressional action to address foreign corruption in the 1970s and shaped by public outcry over high-profile domestic ethical scandals in the 1980s, the nascent compliance industry was initially cultivated around the self-policing efforts of a few high-profile firms in an attempt (in part) to stave off government regulation. The financial scandals of the early 21st century resulted in a new wave of compliance regulation, transforming the industry into a powerful – but fundamentally reactive – function within American business.
Now, with the industry seemingly on the threshold of yet another epochal change, compliance professionals would be well served to take stock of this moment. How did we get here? What did we get right? And most importantly, when and how did we fail? In looking back, we can better manage the leap ahead, avoiding the mistakes of our past as we make the decisions that will collectively inform the future of compliance.
The modern compliance industry can be traced back to Congress’ passage of the Foreign Corrupt Practices Act of 1977. Like many of the legislative and regulatory reforms of this period, the FCPA had its origins in the Watergate scandal and the resulting call for a “renewal of moral leadership.” At the time, U.S. multinational companies bribed foreign officials to further their interests abroad almost as a matter of course. Bribes paid to win business in some countries were actually tax-deductible expenses. The FCPA requirements threw a wrench into these schemes. For the first time, it forced businesses to think about the implications of what was previously considered an unregulated area of operation. According to Anne Eberhardt in her series on How the Foreign Corrupt Practices Act Came to Be, “The FCPA was the very first law of its kind in the history of mankind; no other nation or empire had ever criminalized the payment of bribes in foreign jurisdictions.” This legislation effectively made ethics and compliance a business imperative for risk mitigation.
That imperative was given new urgency when a series of defense industry misconduct and mismanagement scandals made the headlines in the mid-1980s. Stories about the Pentagon paying $7,622 for a coffee brewer and $600 for a toilet seat caused considerable public outcry. To stave off new regulation, General Electric and 17 other defense contractors created a voluntary organization called the Defense Industry Initiative on Business Ethics and Conduct (DII). The group drafted a set of five principles (since updated) which laid the foundation for the Ethics and Compliance profession as we know it today. Those principles are:
Act honestly in dealing with the government
Promote ethical values through codes of conduct, ethical cultures, and training
Establish ethics and compliance programs, including systems for employees to report wrongdoing
Share best practices
Be accountable to the public
These principles, along with the new Federal Sentencing Guidelines for Organizations (FSGO) issued by the U.S. Sentencing Commission in 1991, helped form the framework of our profession as it exists today.
The compliance profession was born out of moral outrage and aspiration. Its 21st century incarnation, in contrast, was defined by something more immediate: financial crisis. Three events – the fall of Enron, the collapse of WorldCom and the bursting of the dot-com bubble – generated a broad sense of economic fragility largely attributed to corporate dishonesty and malfeasance. The result was a rush of regulatory reform spearheaded by the Sarbanes-Oxley Act of 2002. The most immediate impact of this push was the rise of the compliance officer, who was now tasked with ensuring that the (now required) mechanisms designed to prevent corruption, retaliation, harassment and the like were up and running in accordance with the law.
With this rise, however, came a change in character. This regulatory approach to ethics and compliance meant that programs shifted from a strategic, forward-leaning posture to a reactive and transactional approach. Consequently, the compliance industry of the 21st century has largely been shaped by fear: fear of financial or reputational damage. Programs so constructed inevitably adopt a check-the-box, CYA approach, one that leads down the path of “vicious compliance” in which employees are more focused on enforcing compliance than on creating cultures typified by trust and respect.
Recently, this has begun to change. The weaknesses of a reactive approach to ethics and compliance were first laid bare by the Great Recession of 2008 which, despite the increase in regulation, proved to be the biggest economic crisis in nearly 80 years. Initially, this led to a new wave of legislation in the US and abroad, including the Dodd-Frank Wall Street Reform and Consumer Protection Act, the UK Bribery Act, and new guidance on the Foreign Corrupt Practices Act. Eventually, however, a broad public dissatisfaction with the regulatory approach to corporate ethics began to emerge. This rejection of “mere compliance” animated groups across the political spectrum, from the Tea Party to the 99%, eventually expanding from issues of finance and economics to broader ethics and compliance issues like corporate responsibility, harassment and discrimination, and retaliation. Present-day movements like #MeToo and various advertising boycotts reflect a public desire for corporate standards and practices based not on legal requirements but on ethical principle.
Regulatory agencies and approaches have started to reflect this change as well. In 2017, the U.S. Department of Justice issued an “Evaluation of Corporate Compliance Programs” that advised prosecutors investigating corporate compliance failures to ask questions ascertaining whether a company’s compliance program was not just present but effective. In 2019, this was expanded and formalized as Guidance. This trend is reflected in the more activist and proactive approach to compliance adopted by other legislative and regulatory bodies, from U.S. state legislatures to the European Commission.
So, how can your organization adapt to respond to these changing compliance trends? To keep ahead, take advantage of the following steps:
Reduce fear of retaliation. One of the best ways to move from reactive to proactive compliance is to strengthen your internal whistleblower systems. As recent research shows, Advanced and maturing compliance programs are able to identify and proactively act on reports, resolving issues internally before they metastasize into problems that trigger external review and reputational damage. To do that, you first need to secure leadership buy-in, convincing them of the benefit of and need for more hotline reports (this white paper can help you bolster your argument, as can this one). Next, you need to increase awareness of your internal hotline reporting amongst your employees. Just informing employees of the system’s existence isn’t enough; they also must know how to use it and the specific ways in which they will be protected when and if they do. Above all, demonstrate and promote results. Ensure issues are addressed in a timely way, and tell all employees about actions taken against retaliators. This is especially important with regards to leadership accountability. Ultimately, what happens to the top performers who violate the rules will send the loudest message to all within your organization.
Sell and win. Future-facing compliance programs also have another trait in common: funding. Advanced and maturing programs consciously make securing funding a top priority, dedicating time and resources to “selling” their program to the board of directors and senior management. Make sure to measure, benchmark and document your program so you can more meaningfully communicate your program’s value. Equally important is winning the hearts and minds of your employees to secure engagement in the process. Similar to your hotline awareness efforts, employee engagement campaigns need to do more than let your employees know that program policies and procedures exist; you must make them participants in the process. Solicit and respond to feedback when performing functions like updating your code of conduct. Employees who believe their opinions have an impact are more likely to offer them, and are more likely to invest in the system overall. You should also develop useful, clear and consistent policies that aren’t full of legalese.
Automate & Keep “Vicious Compliance” Tasks in the Back Office. Technology and automation help reduce time spent on manual processes, improve reporting and analytics needed to demonstrate ROI of the program, and allow more time to focus on a culture of ethics and respect, but they should not be the entirety of your compliance efforts. Use compliance and risk management messaging as needed to demonstrate the necessity of various program elements to key stakeholders.
» Webinar: The Evolution of Risk & Compliance
» Distributors, FCPA, and Internal Controls — Lessons for Anti-Bribery & Corruption Programs
» Building a Better Board Report: Essential Strategies for Chief Compliance Officers
» Learn from History or Repeat It: FCPA 2016 in Review
» Top 10 Ethics & Compliance Predictions & Recommendations for 2018
Diversity and inclusion. It’s a phrase we hear a lot these days in the media, private conversations, and of course in the workplace. Modern Diversity and Inclusion (D&I) programs often focus on the identification and elimination of organizational bias. Bias against those belonging to underrepresented groups is pervasive and pernicious; according to a 2019 Harvard Business Review study, fully half of diverse employees surveyed reported experiencing bias daily in the workplace, and “don’t believe their companies have the right mechanisms in place to ensure that major decisions (such as who receives promotions and stretch assignments) are free from bias.” New and proposed legislation, such as the House of Representatives’ HR 3279 and Illinois’ recently passed Public Act 101-0589, seek to address this inequity by diversifying corporate leadership. This is done in part by requiring increased transparency with regard to the gender, race and ethnicity of a company’s board members.
As legislation increasingly focuses on the boardroom, ethics and compliance officers are turning their attention towards making their own diversity and inclusion efforts more effective. There is a growing consensus that D&I programs need to expand beyond their traditional approach to better incorporate individual experiences and expressions of identity. “How we think about identity shapes how we interpret interactions including, or perhaps especially, those in the workplace,” writes Dr. Ilana Redstone, associate professor of sociology at the University of Illinois. Consequently, “perceptions of bias and how we think about identity are often linked.” In order to create a more diverse workplace, professionals are giving renewed attention to that sense of identity, and how individual workers can feel included in the workplace.
Usually diversity and inclusion are treated as a single concept, with most of the attention given to the former. But by narrowly focusing on diversity — and neglecting inclusion — companies too often miss the opportunity to embrace differences. That’s not to say efforts to diversify the workforce are unimportant; in fact, they are vital components of any successful workplace (not to mention a company’s ultimate success).
Though these terms are often used interchangeably, there’s a clear distinction between diversity and inclusion. Diversity is traditionally concerned with group identity — classes defined by common characteristics such as race, ethnicity, age, sex, religion, etc. Efforts to increase the number of these under-represented groups in the workplace are often aimed at the recruitment process. For example, a company might start an incentivization plan that offers higher employee bonuses for referrals of successful candidates from one of these classes. While action plans like these are instrumental in expanding the conversation, they don’t guarantee that those new voices will be heard. In fact, individuals from diverse backgrounds may be conditioned to self-censor their thoughts or opinions.
To gain the full benefits of diversity, organizations need to focus on inclusion. Inclusion programs focus in on the person — their personal feelings, professional development, and overall sense of validation. They teach coworkers to view one another as people, rather than just an assortment of labels. They help us recognize our own hidden biases and how they manifest themselves. Most importantly, workplace programs that balance diversity and inclusion move beyond thinking about what boxes an employee checks, and instead create opportunities for dialogue that can make a meaningful difference in that person’s life and ensure their ideas are heard.
Cultivating a truly inclusive environment isn’t easy to do; it requires challenging old assumptions and learning new skills. But, done effectively, inclusive practices can attract new ideas, audiences and, ultimately, the talent necessary to not only survive but thrive.
1. Listen to Diverse Voices
Employees don’t check their identity at the front door. They have wants, needs and perspectives separate and apart from their role within the company. Successful inclusion efforts recognize and respect that individuality, starting with how managers and leadership listen. When people speak, they don’t want others thinking about where they’re from or what their background is, or have their thoughts filtered through opinions about their age or gender. They want to be heard, and for what they say to be taken on its own merits. But how can you accomplish this in your business?
First, you must recognize your own biases. While it may be challenging to admit, we all have some level of bias that can surface in our conversations with others. These can range from preconceptions about someone’s educational achievements or religion to opinions about their tattoos or where they attended school. You may not see it, but they do, and that’s a pretty dangerous thing. While we can never eliminate our own biases, identifying and acknowledging them is an important first step in helping us truly listen.
Acknowledging an idea and engaging in meaningful follow-up is another way to make employees feel heard. This doesn’t necessarily equate to action; not every idea can or should be used, but it should be considered and dealt with on its merits.
2. Use Language of Inclusion
Language is an important component of inclusive behavior. Striving to say “people” instead of “employees” demonstrates respect for their individuality, as does eschewing phrases like “my workers” or “my team” (which can imply that they are somehow owned). Of course, these aren’t hard and fast rules; there are many circumstances in which such phrases are wholly appropriate. Most important is cultivating an awareness of, and mindfulness towards, the impact our words can have.
3. Validate Responses
Together, listening to differing views and practicing inclusive language evoke validation. And validation is the foundation of a truly inclusive environment. Above all, inclusive businesses should respect and encourage authentic communication, especially when the message is one they may not want to hear. The reflexive response to a candid answer on an employee survey or a negative review on a recruiting site might be to refute or obscure it. But respecting that person’s experience, and adapting your practices accordingly, will ultimately result in a better and more productive workplace that benefits everyone.
None of us are perfect. But through the conscious application of inclusive techniques and orientations, we can build a workplace that embraces people as individuals whose unique opinions, ideas and experiences can make our organizations stronger and more resilient.
“Good ethics and compliance programs focus on mitigating risk; great programs focus on culture.”
It’s a concept that makes perfect sense in the abstract, but often seems impossible to achieve in practice. How can E&C professionals actually influence the way employees feel about their employer, coworkers, or job? Is it practical, or even possible? What can compliance programs really do to effect change?
Quite a bit, actually — but to effect meaningful change, you must first be precise about what you are trying to achieve. Too often, discussions about workplace and employee culture center on high-level concepts such as company “vision” or “values,” measured in terms of employee “appreciation” and “wellbeing.” While such discourse certainly has a purpose and place, it can instill the (false) impression that creating a positive workplace environment is almost a type of alchemy, an ethereal exercise akin to influencing the weather.
This has traditionally led leadership and senior management to adopt one of two broad approaches to cultural development. The first, which we can call the “pay and perks” method, leans into the language of cultivating harmony and reducing stress by focusing on “extras” such as game rooms, free food, onsite massages and even Netflix and magazine subscriptions. These elements are aimed at creating a fun and comfortable atmosphere, and are often touted during recruitment efforts as evidence of a positive workplace environment. Underlying this approach is the assumption that a positive workplace culture is synonymous with a happy and conflict-free environment.
The truth, however, is more complex. While perks like spa services and foosball tables can enhance your culture, they are no substitute for it. “Offering free steaks to dissatisfied employees won’t make them happy,” one expert quipped. “It just gives them something to ruefully chew while they plan their escape.” Moreover, companies are making a serious mistake if they conflate happiness with the kind of engagement you (and your employees) ultimately want. As Harvard Psychology Professor Ron Friedman writes, “happiness also has a surprising dark side. When we’re euphoric, we tend to be less careful, more gullible, and more tolerant of risks.” Friedman goes on to tout the value of “so-called ‘negative’ emotions like anger, embarrassment, and shame,” asserting that “these emotions can foster greater engagement by directing employees’ attention to serious issues and prompting them to make corrections that eventually lead to success…Pressuring employees to suppress negative emotions is a recipe for alienation, not engagement.”
While some companies overemphasize fun, others adopt what they would define as an “organic” or “natural” approach toward cultural development—what we can safely call the “culture by default” method. Advocates of this perspective talk about workplace culture in much the same way that Adam Smith did the “invisible hand” of the market—that is, the inevitable product of ineffable forces best left alone. This view is particularly prominent among companies and leaders that promote their “disruptive” bona fides. These individuals and organizations tend toward improvisational, ad hoc approaches to management that often depend on larger-than-life personalities. This is particularly prevalent within the tech industry, where more than half of all employees describe their workplace culture as toxic.
Sometimes this neglect can even slip into peevish subversion, with companies going so far as to create written “values statements” that intentionally reject or undermine the traits and practices traditionally associated with a positive workplace environment. Perhaps the most famous example of this is Uber, which ultimately fired more than 20 employees and severed ties with its CEO after paying $10 million to settle over 500 claims of discrimination, sexual harassment and creating a hostile work environment.
While some organizations consciously decide upon a passive approach, far more reach that point by accident rather than by design. According to Deloitte, 90% of executive officers believe work culture and engagement is important, but nearly half (44%) describe their performance in this area as “weak.” Quite often this is a result of prioritization; without strong mandates or authority, leadership charged with creating a positive culture often find themselves without the time or resources necessary to effect systemic change. Part of the problem derives from not knowing or clearly articulating the benefits a positive workplace culture and employee engagement can bring. According to one analysis, organizations featuring “cultures by design” demonstrate retention levels 40% higher than those who manage culture by default. Companies with highly engaged workforces, meanwhile, have an earnings per share that is 147% higher than their peers.
So, what actions can an organization take to create a positive work environment? Compliance experts suggest the following:
1. Review and Update Your Policies
The first answer may be found in Uber’s response to its own workplace culture problem. In February of 2017, Uber hired former Attorney General Eric Holder to lead an investigation into their organizational culture. His 13-page report recommended 47 steps the company should take (all of which were adopted by Uber’s board). Many of Holder’s recommendations could—and should—be adopted by any organization interested in improving its workplace culture, including:
Clarifying requirements for promotion
Changing the pay review process to reduce bias
Establishing protocols to escalate complaints
Including metrics for employee satisfaction in manager performance reviews
Using a software solution to keep track of complaints
At first glance, these points appear to be more about policy and procedure management than creating workplace culture or building employee engagement. But that is because the best way to build a positive work environment is by crafting policies and procedures which make management more structured, disciplined and — importantly — depersonalized. “Effective policy management is, in a way, about depersonalizing a company’s culture,” writes compliance author Matt Kelly. “Not in the sense of making your culture sterile and boring, but rather to build the company around a set of core values that aren’t dependent on, or dictated by, any single person.” These values should be clearly articulated in a code of conduct and then executed through policies and procedures that make them manifest in employees’ lived, everyday experience.
Of course, specific policies deserve special attention. You should take care to bolster your policy against harassment and retaliation, and have a process in place to investigate complaints promptly, fairly and thoroughly. It’s also important to hold employees accountable for violating the rules and to be prepared to terminate if necessary.
2. Train and Coach Your Employees
When it comes to how a company’s values are felt by employees in their daily lives, organizations focus on two specific dimensions: the way things are done (workplace culture) and how people feel about it (employee engagement). Policies and procedures can largely deal with improving the former; employee engagement, on the other hand, can be effectively addressed through training and coaching. Holder dedicated an entire section of his Uber report to the subject of training, recommending it not only for senior leadership but for human resources, interviewers and mid-level managers as well.
Manager training should of course include segments on diversity, inclusion, and unconscious bias, as well as how to recognize issues early and report them appropriately. But it should also give special attention to areas of effective leadership and employee empowerment, such as how to provide constructive feedback and help employees set career goals. Teaching managers how to coach and mentor their team members is foundational to building trust and increasing commitment to organizational success, explains employee engagement expert David MacLeod. “Successful managers are coaching their people – usually at least once a week,” MacLeod says. “Engaged workers feel that their manager treats them, not as a mere ‘human resource,’ but as a human being. That relationship encourages workers to bring more of themselves to work.”
3. Act, Listen and Be Authentic.
There is nothing inherently wrong with things like perks, nor is there anything bad about high-level concepts and discussions about organizational values and goals. Just the opposite; such things are often crucial components of a positive work environment, as is setting the often-touted “tone at the top.” But it is critical that all statements made by managers, executives and senior leadership be accompanied by action. Backing your words with deeds — especially ones that come at a cost — sets your relationship with your workforce. Saying “I appreciate you” but failing to demonstrate it is detrimental to any relationship, including the one between an employer and their employees.
Successful employee engagement and culture-setting relies on listening as well as acting. Good listening can help you better address your employees’ needs, and identify problems before they metastasize. “The thing that organizations that engage their staff do well is that they listen — and allow their people to talk across silos,” says engagement expert Nita Clarke. “If you’ve got a good ‘listening organization’ where your workers trust you, they’ll tell you when something’s about to go wrong. That’s a cheaper way of protecting your organization’s reputation than lawyers or PR companies getting to work after an event.”
Above all, executives, managers and even employees must engage with authenticity. The development of a positive workplace environment ultimately hinges on trust—of one’s leaders, co-workers, and organization. Through the use of smart policy management, well-designed training, demonstrable action, and active listening, companies can successfully shift their focus from mitigating risk to impacting culture.
» White Paper: Our Approach to Cultural Assessments
» Toolkit: The Ultimate Culture Assessment Toolkit
» Case Study: Serco Group Builds a Visionary Culture
» Webinar: Applying Lessons of Behavioral Ethics, Culture & Compliance
» Webinar: Cultures that Inspire Both Ethics and Performance
» eBook: Memos to Managers: On Strengthening Culture & Preventing Workplace Harassment
» Use Case: Build a Culture of Ethics & Respect
» Definitive Guide: The Definitive Guide to Policy and Procedure Management
» Definitive Guide: The Definitive Guide to Ethics & Compliance Training
Data privacy and cyber threats are quickly emerging as some of the most critical ethics and compliance (E&C) issues of 2019. A new study of E&C professionals by NAVEX Global found that over two thirds of respondents ranked data protection and cybersecurity as top concerns within their organization (69% and 68% respectively), more than any other topic and up from 45% just the year before. This widespread and rapidly growing unease is fueled by an increasingly steady diet of news stories featuring unwitting organizations left financially and reputationally wounded in the wake of uncanny cyberattacks.
These modern morality plays are the most lurid examples of an increasingly common fate. According to NAVEX Global’s new report, Privacy by Compliance, 61% of firms reported one or more data incidents in 2018, up from 45% in 2017. A 2017 study from Accenture found these attacks cost an average of $2.4 million, taking an average of 23 to 50 days to resolve, depending on the type of attack. No target is too big; this summer the City of Baltimore was the victim of a ransomware attack costing the city government upwards of $18 million.
Even organizations with cybersecurity systems robust (and lucky) enough to repel a direct breach aren’t safe. Third parties are an overlooked but dangerous vulnerability for many organizations, as their cybersecurity weaknesses can compromise your data. Last month the blood testing firm Quest Diagnostics revealed that one of their vendors, the American Medical Collection Agency, had been breached, compromising 11.9 million of their own user accounts.
This case is just one of the most recent reminders that technology-based cybersecurity solutions alone aren’t enough. The lack of coherent and comprehensive cybersecurity policies and procedures can leave organizations feeling as if they’re playing a game of “whack-a-mole,” according to NAVEX Global Chief Compliance Officer Carrie Penman. Ultimately, she says, effective data protection solutions must encompass a variety of departments – including IT, compliance, and human resources – with the CCO playing a lynchpin role.
While businesses fixate on the threats posed by hackers and other cyber criminals, governments are increasingly worried about a separate, if related, concern – data privacy. Data is the new oil, and the general public has shown a growing unease with the realization that they are the product. Over the last few years, democratic bodies of all sizes have adopted a raft of new data privacy laws and regulations intended in part to address this issue. The General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) and Australia’s Consumer Data Right all endow their respective citizens with a bevy of new rights with respect to the collection and use of their personal information, including breach notification, data portability, the right to access and the right to be forgotten.
Companies of all types and sizes face a series of uncharted challenges to ensure these new rights are respected. Many are finding the changes so pervasive they are proving transformative. Ethics and compliance consultant Vera Cherepanova finds GDPR’s directive so broad that “it finds its application in so many diverse areas, many of which I’m sure regulators didn’t intend or foresee.” The task ahead is daunting; according to Cisco, 4 out of every 10 companies don’t currently meet most GDPR requirements. Another survey found that only 55% of respondents plan to be ready for CCPA by its January 1, 2020 enforcement date.
Yet many compliance professionals urge their companies – and their peers – to view the implementation of new data privacy laws as opportunities for much-needed reform. In the past year, “privacy by design” has emerged as a popular and ethical approach to data usage. Instead of focusing on mere compliance, it utilizes company policies, internal communication, and enhanced training to create an attitudinal shift in the organization with respect to data. “This isn’t about policy for policy’s sake,” says Ladbrokes Coral Chief Privacy Officer Andreas Klug. “It’s about embedding regulation at the heart of the business, providing essential protections for our relationship with our customers and positioning a business to succeed in today’s data economy.”
So, how can organizations protect themselves from cyber attacks and put “privacy by design” into practice? Data protection and privacy experts recommend the following:
Stay informed. As Cisco noted in its report, “keeping up with evolving regulations” is listed by industry professionals as one of the top challenges facing companies implementing cybersecurity and data privacy protections. These fields are quickly evolving, from the frantic pace of technological change to the social and regulatory responses these innovations provoke. “It’s incredibly important to do a lot of reading,” advises NAVEX Global CCO Carrie Penman. “New alerts come out every day; you have to stay on top of what’s being written and what’s happening in other organizations.”
Build a team. Organizations are often tempted to treat cybersecurity and data privacy as information technology issues that require a technology-driven solution. However, issues like these require a more holistic response. Peter Swabey, policy and research director at ICSA: The Governance Institute, advises that chief compliance officers play a coordination role, overseeing the efforts of multiple departments. “It’s almost impossible for someone working within a large organization to cover all the bases,” says Penman. “The point is this particular area requires very specific expertise.”
Train your workforce. Expert hackers don’t typically break through company firewalls through brute force or technological sophistication. Most successful attacks are the result of social engineering. According to the Information Commissioner’s Office, four out of every five data breaches are due to human or process error. This makes employee training to promote awareness of your organization’s cybersecurity and data privacy policies one of the most effective defenses against cyber attacks.
Practice third-party risk management. Third parties can often be the weak link in your organization’s cybersecurity and data privacy chain. As RSA Security Vice President Nigel Ng notes, you can still be held accountable for data that was compromised even if you weren’t breached, suffering a hit to your reputation and consumer trust. Still, companies fail to properly account for the cybersecurity and data privacy policies of their vendors. A recent Ponemon Institute survey found that just 12% of respondents said their general counsel or compliance department managed third-party risks. Meanwhile, 65% of firms say they have experienced one or more cyber attacks as the result of a weak link in their supply chain in the past year. Third-party risk management should play a key role in any cybersecurity or data privacy plan.
» Report: Privacy by Compliance
» Webinar: Cyber Security and Insider Threats: Turning Policies into Practices
» Toolkit: Cyber Security Awareness Kit
» Datasheet: Cyber Security Training Course Overview
» Sample Policy: Acceptable Use Policy (AUP) Sample Template
» Sample Policy: Information Security Policy Sample Template
» Training: Cybersecurity Courses
Emerging compliance risks pose critical challenges for organizations of all sizes. Societal and regulatory changes have created an era in which it is no longer enough to comply with laws; businesses must demonstrate that they can create and sustain ethical workplaces. This has required the ethics and compliance industry to evolve beyond basing success on single data points or isolated program activities. Mature compliance programs integrate programmatic strategies that inform, adapt to, and complement one another.
The most successful compliance programs increase their program maturity by identifying key performance drivers that connect the dots between multiple program components. Integrated compliance strategies raise the tide of effectiveness across the full breadth of the compliance program. When implemented, program drivers operationalize ethical cultures into the daily activities of the organization – big and small.
New research that will be the basis for NAVEX Global’s June 18 Master Class identifies several key performance drivers and program elements that strong, effective ethics and compliance (E&C) programs use to meet the rising demands of an increasingly complex world. These elements – including technological automation, thoughtful training, and attention to board and executive management buy-in – can help compliance professionals build advanced programs capable of addressing a full range of compliance challenges.
These new standards of effectiveness are reinforced by regulatory and enforcement agencies, most recently seen in the DOJ’s updated “Evaluation of Corporate Compliance Programs.” The guidance specifically stipulated three dimensions to evaluate the strength and effectiveness of a compliance program:
Is it well-designed?
Is it being applied effectively?
Does it work in practice?
Simply “checking the box” by deploying a compliance solution is no longer enough; regulators, the public, and stakeholders demand that efforts actually influence behavior and reduce wrongdoing and misconduct. In short, ethical efforts should naturally result in behavior that meets compliance expectations. To do that, compliance programs are relying more on systemic and integrated strategies.
We have always known that ethics and compliance are inextricably linked, but key findings indicate actualized ethical cultures are more closely aligned to advanced compliance program maturity. That means that just having a compliance program does not equate to having a culture of compliance.
This is where we see the distinction between ethics and compliance. When assessing corporate compliance objectives in our annual surveys, we ask respondents which objectives they see as most important. Two consistent answers are “Create a culture of ethics and respect” and “Comply with laws and regulations.” Finding the balance between these two objectives is critical for mature programs, which use the former to achieve the latter.
When compliance with regulations is emphasized without attention to corporate culture, organizations can enter a dangerous downward cycle. They focus on efforts to meet regulatory requirements for their own sake, with no consideration toward cultural enhancements. This creates environments where, when pressures mount, employees and leaders often look for loopholes to simply satisfy the regulatory requirements rather than think about what is actually the right thing to do. This ultimately leads to employee cynicism and results in less compliance, not more.
Effective programs do two things well to balance the scale of regulatory alignment and culture building:
Sell: Compliance professionals need to effectively promote the value of compliance to get the necessary funding and resources to address the organization’s unique risks. The audience for “selling” is usually the board of directors and senior management.
Win: Effective programs succeed in changing culture by “winning” the hearts and minds of employees, securing their engagement in the process. Ultimately, the culture has to support compliance policies, laws and regulations in order for them to be realized. The audience is all employees – including executive management – and often other external stakeholders.
Ethical cultures usually evolve at the same pace as other program accomplishments. More specifically, mature programs develop ways to amplify efforts to go beyond “check-the-box” exercises and truly influence employee behavior. Consider the key steps below as you work to develop key drivers of performance for your program.
Automate & Keep “Vicious Compliance” Tasks in the Back Office
Implement technology and automation to help reduce time spent on manual processes, improve the reporting and analytics needed to demonstrate the ROI of the program, and allow more time to focus on a culture of ethics and respect (though they should not be the entirety of your compliance efforts)
Use compliance and risk management messaging as needed to demonstrate the necessity of various program elements to key stakeholders
Work “Ethical Culture” Messaging & Support into All Aspects of Employee-Facing Program Implementation
Ensure that training is role and risk based and clearly communicates the “why” of the expectations
Develop useful, clear and consistent policies that aren’t full of legalese
Devote considerable attention to creating a speak-up culture without fear of retaliation. Ensure issues are addressed in a timely way. Make retaliation prevention and monitoring a priority, and tell all employees about actions taken against retaliators
Review business objectives and compensation plans to ensure that these will not put unacceptable pressure on employees to achieve results
Ensure careful selection of business partners who will not put inappropriate pressure on employees to cross the line
Finally, and most importantly, leadership accountability is what every employee is watching. In the end, what happens to the top performers who violate the rules will send the loudest message of all to the organization
Conflict of interest (COI) programs are at an apparent crossroads. Increasingly, compliance officers are tasked with creating COI policies and procedures to address an ever-widening range of actual and perceived risk. At the same time, new legislation and social movements have placed a premium on employee rights and privacy. These conflicting expectations present compliance professionals with an almost insurmountable charge: how do they reduce the risk exposure of conflicts while increasing flexibility for employee interests?
Fortunately, these competing forces aren’t as incompatible as they seem. In the past few years, consensus has built around a set of principles and practices that empower ethics and compliance (E&C) officers to improve reporting and accountability while protecting employees’ well-being. Through assessing risk, designing flexible programs, automating processes, promoting an ethical workplace and training employees at all levels (ADAPT), compliance professionals can build COI programs that meet these competing needs.
The Traditional View
Identifying and managing conflicts of interest is one of the most crucial actions a compliance officer can undertake. Conflicts of interest, generally defined as situations in which an individual or organization has an opportunity to exploit their professional position for personal gain, can metastasize into corruption if undetected or ignored. Michael Volkov, compliance attorney and CEO of the Volkov Law Group, notes that several times in his consulting experience “what started as a conflict of interest investigation mushroomed into a fraud investigation where several actors, often relatives, were stealing from the company.” He advises making a strong COI policy “a centerpiece of a company’s corporate governance framework.”
Developing such procedures, however, can be complex. Traditionally, companies have adopted “zero-tolerance” COI policies based on legislative acts which themselves resulted from high-profile wrongdoing. The self-dealing and uncontrolled conflicts of interest that contributed to the Great Depression resulted in the Pecora Commission, the 1933 Securities Act and the 1934 Securities Exchange Act. The Sarbanes-Oxley Act of 2002 was a product of the fall of Enron. More recently, the Great Recession of 2008 spawned the Financial Crisis Inquiry Commission and the 2010 Dodd-Frank Act.
The cycle of scandal, outrage, and reform that spawned these laws is mirrored in many zero-tolerance COI programs today. Sporadic investigative purges are followed by periods of complacency that make crisis management a default state of operating. These programs also often conflate the existence of potential conflicts with actual malfeasance. At a recent Open Compliance & Ethics Group Roundtable, compliance experts bemoaned this practice of “conflict-shaming,” noting, “it’s an important myth to dispel that all conflicts are bad – which isn’t true and shouldn’t be tolerated.”
This approach further encourages firms to treat all COI as uniformly toxic, resulting in policies that disproportionately negatively impact low-level employees. In their article “Shifting Perspectives on COI in the Modern Workforce,” compliance attorneys Jeff Kaplan and Rebecca Walker use the example of a workplace relationship to illustrate this issue. A romance between junior employees is unlikely to cause irreparable harm, yet a zero-tolerance policy treats this relationship with the same degree of severity as one between high-ranking executives or a manager and subordinate.
A New Perspective
More recently, a new approach to COI has taken hold. The reasons for this are various. From a legal perspective, the growing adoption of privacy regulation such as the European Union’s General Data Protection Regulation (GDPR) has placed renewed emphasis on privacy rights, including those of employees. Social media has also played a role, enabling movements like #MeToo. Unlike the outcry after the fall of Enron or the 2008 recession, these new media campaigns have an evergreen quality, fueled by the growing number of survivors and their stories. This has helped create what Kaplan and Walker refer to as a state of “hyper-transparency.”
The evolution of the compliance profession has accelerated this change. The number of companies with mature compliance infrastructures has grown significantly over the past decade; according to NAVEX Global’s 2018 Ethics & Compliance Policy & Procedure Management Benchmark Report, more than a third of all businesses surveyed had compliance programs that could be characterized as either advanced or maturing. These programs “are more proactive when it comes to creating and reviewing their policies,” enabling compliance officers to target assessments and design solutions tailored to the companies they serve. Firms with mature compliance programs also focus on creating a “culture of compliance,” harnessing the motivations and preferences of their workforce to increase COI effectiveness.
Technological advancements have likewise played an important role in COI policy innovation. This is especially true with respect to automated disclosure and COI training. Automated policy management solutions allow compliance officers to distribute disclosures to all their employees and enable firms to create easy, unthreatening ways to make disclosures.
Thanks to these changes, proactive companies are now able to create and implement COI programs that improve their company’s protection from risk while respecting the rights of employees and the realities of the modern workplace. These steps of assessing risk, designing tailored policies, automating processes, promoting a culture of compliance, and training your workforce – a process we refer to as ADAPT – can help compliance officers revitalize their COI policies and procedures.
1. Assess your risk. The first, fundamental step for any effective COI program is a thorough risk assessment. When conducting your assessment:
Be proactive. One of the most common mistakes E&C officers make is relying on one-time self-reporting for their COI risk assessment. However, employees frequently fail to report potential conflicts, often because they haven’t been trained to properly identify COI (more on that in a moment). Instead, use self-reports as a starting point for verification. In the words of E&C Managing Counsel Gwendolyn Hassan, “There is no substitute for simply asking employees about their relationships and potential conflicts.”
Target common risk areas like relationships with customers, competitors and suppliers, as well as familial ties. Review outside activities like consulting or public speaking, or any boards that high-level employees might serve on.
Tailor disclosure requests. High-level executives and employees with purchasing authority face a greater range and pervasiveness of risk than your average employee, and your disclosure policies should reflect that reality. Matching your COI disclosure requests to an employee’s actual level of risk respects their privacy while allowing you to focus your time and efforts where they are most needed.
Start early. Begin the disclosure process before you hire, starting with any IP, NDA, or non-compete agreements that might lead to potential conflicts.
2. Design detailed COI programs that reflect your specific needs. Once your initial assessment is complete, you will want to create COI policies and procedures that match your institutional profile. When designing your COI policies:
Be flexible. As Kaplan and Walker note, “Not all conflicts are created equal.” Businesses are increasingly discovering cultural benefits to tolerating a certain level of risk, provided it is disclosed and documented early. Workplace romances may be permissible, provided both parties immediately disclose the relationship. Similarly, an employee whose family member works for a vendor may be able to alleviate any COI by signing a recusal agreement covering any interactions with that company.
Be responsive. The central measure of a COI program’s effectiveness is its response rate. According to a recent Ethics & Compliance Initiative survey, less than half of workers who witness COI misconduct report it. This, according to Volkov, is largely because employees do not believe their company will act on it. This failure is critical, as COI investigations are a leading way for businesses to uncover theft, corruption and fraud. Robust reporting and tracking can help E&C officials increase their COI program’s responsiveness.
3. Automate your process. In order to meet the needs of a modern COI program, E&C officers must automate their COI procedures. Software solutions can not only increase efficiency and effectiveness, but allow for an incremental, evergreen approach to disclosures and training, encouraging employees to remain informed and engaged. Automation can improve:
Policy. Policy-generating software solutions can help you design custom policies that clearly define what should be disclosed.
Process. Automated voluntary disclosure processes offer employees a non-intimidating way to provide open and honest disclosures.
Training. Customized, interactive training units enable businesses to meaningfully educate their employees to identify and report COI.
Tracking. Digital monitoring systems provide compliance officers the ability to track disclosures, reports, training, and overall communication.
4. Promote a culture of compliance. As Rose Bryant-Smith, channeling Peter Drucker, recently noted, “culture eats compliance for breakfast.” The success of a company’s COI program ultimately rests on its ethical culture. To provide an environment that enables a COI program to thrive, companies should:
Be consistent. “A company has to make a real commitment to enforcing its conflict of interest policy at every level,” writes Volkov. If employees sense they are operating under a stricter set of rules than their superiors, they will be less likely to participate in a COI program. Remember, the mere appearance of a COI can negatively impact an organization, so it is important that C&E programs place a premium on transparency and accountability.
Choose ethical leaders. Admittedly, compliance officers can’t choose who leads their organization. They can, however, choose whom they work for, and any C&E professional would do well to remember that ethical leaders are essential for effective compliance management. This isn’t mere opinion; in his 2012 address before the National Society of Compliance Professionals, Director of the SEC’s Office of Compliance Inspections and Examinations Carlo V. di Florio listed ethical leadership as one of the required factors for an effective compliance program. Organizations, he asserted, should “exclude from any position of leadership any individual who has engaged in conduct inconsistent with an effective compliance and ethics program – in other words, that the fox is not guarding the henhouse.”
5. Train your employees. Perhaps most importantly, an effective COI program must train its workforce to identify, disclose and report potential conflicts and/or violations. According to the latest research, a successful COI training program:
Puts policy into context. Simply informing employees about a company’s COI policy does not constitute proper training. Those who work for you need to know how to put those policies into practice. According to di Florio, such training should be “tailored to specific conflicts in the business model” and should clearly communicate how to “identify, escalate and remediate” COI. Interactive training modules allow employees to put their training into context, practicing real-world reporting and disclosure scenarios.
Is periodically and uniformly applied. The current state of COI training is decidedly uneven; according to NAVEX Global’s 2018 Ethics and Compliance Training Benchmark Report, fewer than half of surveyed organizations with compliance programs rated “reactive” or “basic” planned to provide COI training in the coming year. Moreover, while only 6% of senior leaders and 11% of non-managers failed to receive training on conflicts of interest, nearly a quarter of board members never received such training. Still, COI training is on the rise; it remains one of the most popular training topics among businesses of all sizes, and a majority of companies overall provide yearly training to their employees.
» SAMPLE POLICY: Conflict of Interest & Outside Employment Sample Policy
» USE CASE: Automate Your Conflict of Interest Process
» BENCHMARK REPORT: 2018 Policy & Procedure Management Benchmark Report
» BENCHMARK REPORT: 2018 Training Benchmark Report
» VIDEO: Tips for Resolving Conflicts of Interest
» TRAINING: Conflict of Interest Courses
Good analysis and benchmarking of hotline data helps organizations answer crucial questions about their ethics and compliance program, including:
Does our culture support employees who raise concerns?
Are our communications reaching the intended audience and having the desired effect?
Are our investigations thorough and effective?
Do we need more training?
Do we need to review or update our policies?
Do employees know about our reporting channels?
Comparing internal data year-over-year to help answer these questions is important to maintain an effective program that encourages employees and bolsters business success. Getting a broader perspective on how your performance matches up to market and industry norms is critical.
For each benchmark, you’ll want to know:
Why the benchmark is an important metric
How to calculate the benchmark
How to use the findings and make recommendations in your organization
To help, each year NAVEX Global takes anonymized data collected through our hotline and incident management systems and creates our annual Hotline Benchmark Report. Because we have the world’s largest and most comprehensive database of reports and outcomes, ethics and compliance professionals can trust our benchmarks to help guide decision-making and better understand how their programs stack up against best practices and trends.
Benchmarking your program annually requires a commitment to measure culture and compliance initiatives on a large scale, improve program effectiveness and resolve gaps that may be undermining your efforts.
This year’s analysis of our data from 2,738 hotline and incident management customers who received ten or more reports during 2018 revealed changes in several key data points that compliance professionals can use to benchmark and assess their program’s performance.
Here is a preview on some of the new findings:
For the first time, we received and analyzed over one million individual reports
While the median of Reports per 100 Employees remained consistent overall, organizations that track all intake methods are managing a record number of reports
Reports of harassment and discrimination increased
Follow-ups to anonymous reporting dropped to a disappointing level
Case closure time improved to a median of 40 days in 2018
Program inquiries dropped to an all-time low
As ethics and compliance programs continue to mature, benchmarking should play an important role in the assessment of a compliance program’s effectiveness and be used to demonstrate return on investment.
As we learned from the George Washington University study, Evidence on the Use and Efficacy of Internal Whistleblower Systems, there is a strong correlation between increased reporting volumes and positive business outcomes – from increased return on assets to decreased levels of litigation. Organizations that view their internal reporting systems as a strategic advantage rather than a requirement will have more opportunity to address issues quickly and before they are reported externally.
Ethics and compliance officers have many opportunities to leverage the data in their hotline and incident management systems to improve their compliance programs – and their organizational culture of integrity and respect. This year’s benchmarks point to several opportunities to increase program effectiveness:
Read the 2019 Ethics & Compliance Hotline Benchmark Report to get a full picture of today’s industry norms, new key findings and best-practice recommendations on how to collect and use your own data.
Get a more complete picture of your risks by documenting all reports in one centralized incident management system.
Aim to get more reporter follow-ups to anonymous reports.
Train and communicate consistent definitions for key reporting topics like retaliation, harassment and discrimination.
Encourage employees to see your hotline as a resource for information, not just a channel for reporting.
Hotline data that is carefully tracked, reviewed, benchmarked and presented with sufficient context often provides the early warning signs needed to detect, prevent and resolve problems.
» BENCHMARK REPORT: 2019 Ethics & Compliance Hotline Benchmarking
» WHITE PAPER: Strength in Numbers: The ROI of Compliance Program Hotline Reporting
» DEFINITIVE GUIDE: Incident Management—Going Beyond a Whistleblower Hotline
» USE CASE: A Whistleblower Hotline for the Global Enterprise
One collection of terms we hear a lot is “tools, processes and people.” All three need to be successfully deployed to make a compliance program run properly while also creating an organizational culture that supports compliance with policy and the law. This is especially true with one of the largest and perennial challenges facing compliance officers: whistleblower reporting, incident management and retaliation risk. With unprecedented regulatory focus on these issues by numerous agencies, and risk getting higher with every headline-grabbing agency action, these topics need to become a priority of discussion with your board and C-suite.
The Important Tools for Whistleblower and Retaliation Risk
An organization’s whistleblower hotline (or integrity helpline), along with a robust incident management system, are crucial and are often required tools—but these are still only tools. The hotline and other designated reporting avenues are conduits for employees to bring suspected misconduct to the attention of managers who are supposed to identify and prevent rising issues. Companies can (and do) implement elaborate hotline systems that offer anonymity and field complaints in multiple countries and languages. There are even advanced systems that screen for implicated parties before distributing reports to compliance professionals.
Still, in the end, a hotline is just a hotline and all reporting avenues are only as good as the responses from the people who are given the message. If those who are fielding allegations don’t respond correctly, an organization will have a mess on its hands no matter what reporting tool is used. When it comes to hotlines, the “easy” part is setting up a phone number. The hard part is what the organization does with reports once it receives them.
Processes and people are every bit as important as the tools themselves. In media reports of organizational misconduct, almost inevitably two stories ensue: First, employees insist they did try to raise their concerns to managers. (Note: the SEC Office of the Whistleblower has highlighted that 80 percent of the tips received have first been reported internally.) And second, they suffered some form of retaliation for doing so.
Ignored or delayed complaints—or worse, complaints sparking retaliation—are serious concerns for an organization and for the credibility of the compliance team that manages its program. These issues happen regardless of the hotline tool used because they are triggered by failures of policy, process, training and most importantly – culture.
Let’s put some hard data on this point. Our NAVEX Global annual benchmarking reports review a variety of key metrics related to hotline reports, processes and outcomes. Over the last seven years, the time it takes organizations to close a case has risen to risky levels – a median of 44 days in 2017, up from 32 days in 2011. Reasons given for the delays include insufficient resources and the complexity of cases in the current regulatory environment. As a compliance officer, I get this, but for the employee who has raised a concern and is waiting for a response, every day can feel like an eternity and an opportunity for retaliation.
There is one other process-related practice that is important to highlight. While the compliance office is not always the team that conducts actual investigations, it is critically important for it to ensure that all issues raised through hotlines are properly investigated and appropriate action is taken in a timely way. Too many organizations use their reporting systems as a clearing house to farm out reports to other organizations for action and then immediately close cases with no visibility into actions, timing or outcomes. If we abdicate responsibility with no follow-up, we put our credibility on the line and increase the potential for bad outcomes.
Furthermore, most employee concerns about misconduct don’t come through the hotline. In most cases, employees bring their issues directly to their managers. When managers turn a deaf ear to those complaints, it is because they either don’t know what to do with a complaint or don’t want to take the necessary steps to address the concern. We as business leaders have an obligation to assist managers with this important responsibility. We need to provide them with training and tools on how to respond, enter and track issues they receive for effective resolution and closure.
Policies and processes deserve the most attention because the stakes are so high when getting that part of a whistleblower program wrong. Failures at this level convey to employees, regulators, investors, customers and the public that your culture is wrong. That, in turn, can lead to steeper regulatory fines, loss of reputation, loss of good employees and even loss of business.
So, what do we do?
Following are 10 steps for organizations to consider related to processes and people to help avoid the pitfalls related to managing a reporting system.
First and foremost, accept that internal reporting is a good thing; that the majority of reporters do so with good intentions; and take all reports seriously.
Treat your employees as reporters, not as whistleblowers.
Establish strong and consistent investigation and discipline processes and policies.
Train investigators on proper techniques and required reporting.
Communicate with reporters regularly throughout investigation processes.
Train on retaliation at all levels of the organization – including the front line.
Test and assess organizational culture and employee beliefs around speaking up and fear of retaliation.
Monitor for retaliation and make retaliation reporting a regular board-level discussion.
Manage or oversee all reports to closure. Don’t abdicate responsibility for reports by forwarding them to another department and closing the report without further review.
Raise issues of resource constraints that are delaying case closure times to the board level if needed.
When was the last time you assessed or trained against your code of conduct? Is it in line with your values and updated to reflect societal changes? There’s a lot at stake. Your code is much more than a single policy. It is the overarching communication tool that summarizes all key policies at a high level.
A code of conduct clearly points out expected behaviors. It demonstrates to employees, as well as external stakeholders, an organization’s commitment to core values. An effective code not only communicates the organization’s mission, but it also serves as an employee resource—a go-to place when questions about behavior or policies arise.
To keep pace with an ever-changing workforce and workplace climate, codes of conduct need to be living documents that are regularly reviewed, revised and updated. Along with aligning to changing regulations, your code needs to resonate with your target audience – your employees.
If a code of conduct doesn’t mention behaviors that concern employees (e.g. harassment, social media, human rights, social responsibility, privacy and bribery), employees will not pay it much attention. And if the related behaviors are unenforceable or unachievable (e.g., “don’t use company assets for any personal matters”), employees will tune out.
Users need to be drawn in to truly comprehend what is arguably the foundation of your compliance and ethics program. If codes are too legalistic and wordy, if some topics are overdone, if a written or online version of the code is dull without graphics or interactivity, readers may glaze over important details. And, if you’re a global company and use US-centric images or language, you are legitimately at fault for not vetting a code with internationally-based colleagues.
If a code is structured or presented in a way that doesn’t properly present both values and risks and uses so many different writing styles that your audience has trouble following along, you’ll lose attention and, worse, interest. If your employees are comfortable with technology and have regular access to the internet, an online, interactive code may be more effective than a 20-page expensive print document.
The best codes are developed by those who know their audiences as well as know that a code is something that needs to be used, not just published.
The codes of leading organizations share common best-practice traits, including:
Alignment with an Organization’s Risk Profile: Leading organizations understand their risk profile and benchmark their code of ethics for employees against industry best practices to ensure relevancy.
Regularly Updated: Leading organizations update their code every two years – or whenever an event such as a change in leadership, geographic footprint, merger or acquisition prompts the need for an update.
Appropriate Tone & Language: Good codes of conduct use tone and language that reflects the organization’s culture. Know your audience. Your code represents your compliance program.
Leverages Links to Other Resources & Policies: The purpose of the code of conduct is to outline the risks and steps stakeholders should take if they have additional questions or need direction. Avoid embedding an entire policy within a code. Best practice codes provide links to additional resources or supporting policies.
Promotes the Organization’s Brand and Values: The code of conduct should clearly outline your organization’s driving principles, a great way to reinforce your values. Use the Code to promote your organization’s brand and reputation.
Serves as an Engaging, User-Friendly Reference Tool with Key Design Elements: Use style elements like colors, callout boxes, branding and video vignettes. Video is essential in breaking up the monotony of text and truly engaging your readers.
Before diving into a code of conduct refresh project, it’s good to revisit the core functions of a code of ethics:
Set the tone for your corporate culture and provide a platform for virtually every other policy you implement.
Communicate expected behavior for employees and point the way to additional resources when situations are complex, difficult or sensitive.
Reduce legal liability by addressing your organization’s key ethics and compliance risks.
Represent your organization’s commitment to integrity to external constituents including business partners and regulators.
With those goals in mind, below are five steps to consider as you’re working toward taking your code of conduct from good to great.
TAILOR TO YOUR PEOPLE
Many organizations’ existing codes of conduct have provisions and perspectives that are worth retaining. Going from a good code of conduct to an excellent code of conduct might be more about tone, design and style—which should reflect your organizational culture and priorities—than overall message or policy.
MAKE IT INTUITIVE. MAKE IT USABLE
Employees who want a quick answer may feel confused and frustrated if they can’t understand what the code says—a common problem when a committee of lawyers does most or all of the writing. It’s especially important to clearly describe how employees can ask questions or flag problems, usually through the hotline or helpline. Consider how design impacts readability as well. Short paragraphs are much easier to read than long blocks of copy.
ALIGN WITH YOUR ORGANIZATION’S RISK PROFILE
A best practice for any code of conduct includes making it relevant and complete given a company’s industry and global risk profile. Risk profiles are not static. Collaborate with other departments in your organization to ensure that the code of conduct touches on those issues that are most important.
INCORPORATE EMERGING ISSUES
The world is changing quickly, and codes need to change with it. For example, it might be hard to remember, but just a few years ago, social media risk wasn’t a concern at most companies and likely wasn’t addressed in their codes of conduct. Money laundering used to be something only financial organizations had to worry about. But these issues are now commonly covered in the codes of conduct at many diverse organizations. What are emerging issues that impact your organization? Consider covering them in your code.
ENSURE EMPLOYEES KNOW THEY’RE PROTECTED
Your code of conduct cannot cover everything, so it’s essential that it point employees to additional resources they can turn to for help (calling the ethics hotline, talking to their managers, or members of the HR or E&C teams, etc.). Best practice codes of conduct clearly communicate that employees who report possible misconduct or ask questions will be protected—and underscore the fact that acts of retaliation are acts of misconduct that could result in disciplinary action up to and including dismissal.
Conclusion
Regularly assessing your code of conduct helps you ensure that you’re consistently underscoring your values—and keeping them top-of-mind with employees. Taking a code from good to great can mean a world of difference for all those who rely on it.
» REFERENCE: NAVEX Global’s Code of Conduct
» INTERACTIVE: Definitive Guide to Your Code of Conduct
» WHITE PAPER: Updating Your Code of Conduct: A Step-by-Step Approach
» EBOOK: The Crucial Document Every Organisation Needs
In November of 2018, the U.S. Department of Justice revised principle 9-28.700 – The Value of Cooperation in its Justice Manual – aka the Yates Memo.
When the Yates Memo originally shook the compliance world in the fall of 2015, it became synonymous with an unwavering commitment to individual accountability for wrongdoing. Any revisions would therefore spark discussion over whether individual accountability is still a priority for the DOJ. It is.
A review of Deputy Attorney General Rod Rosenstein’s announcement of the revisions at the 35th International Conference on the Foreign Corrupt Practices Act should assuage any concern that the Department is straying away from holding wrongdoers accountable. In no uncertain terms, Rosenstein stated: “Under our revised policy, pursuing individuals responsible for wrongdoing will be a top priority in every corporate investigation.”
Instead of a departure from accountability, the revisions are designed to increase enforcement effectiveness and efficiency surrounding individual accountability. This reevaluates the “all-or-nothing” approach intrinsic to the Yates Memo. Previously, corporations would need to provide all relevant information about every individual involved in a potential wrongdoing. Even Rosenstein remarked, at first “it seemed like a great idea.” However, when it comes to implementation, the realities of “all-or-nothing” result in a lot of “nothing” for companies as well as enforcement agencies.
Instead of identifying every individual involved, the revised policy primarily focuses on identifying individuals substantially involved. The principle reads:
“In order for a company to receive any consideration for cooperation under this section, the company must identify all individuals substantially involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the Department all relevant facts relating to that misconduct.”
Nuances of good faith are also interwoven into the policy. Discovery efforts necessary to uncover all information about wrongdoing can consume disproportionate resources and person-hours for both corporations and regulators. They also push investigations down rabbit holes to return insignificant information about individuals who ultimately may not face prosecution. These are the inefficiencies the revisions aim to ameliorate. Simply put, the DOJ wants all the information a corporation has available and expects reasonably thorough investigations to uncover the necessary relevant information to prosecute key players. This is the key to credit.
"Department attorneys should vigorously review any information provided by companies and compare it to the results of their own investigation, in order to best ensure that the information provided is indeed complete and does not seek to minimize, exaggerate, or otherwise misrepresent the behavior or role of any individual or group of individuals."
Furthermore, these revisions may alleviate the original internal branding concerns coming from the compliance industry about the Yates Memo. When every individual involved in a scheme needed to be identified, internal compliance and legal departments turned into aggressive internal investigators, often including investigating innocent employees who unknowingly happened to be involved in fraudulent schemes. Not surprisingly, this was not a good look for internal departments already struggling with rebranding themselves as teams focused on protecting their people.
Ultimately, these policy changes do not indicate a shift away from the Yates Memo’s insistence on individual accountability; rather, they align the language of the policy with the realistic implementation of law enforcement.
Since the 2015 release of the original memo, every compliance officer and general counsel has discussed how it represents a fundamental change in interactions with their peers and internal clients. So, what can professionals continue (or start) doing to ensure compliance with the new revisions?
AVOID EXTERNAL INVESTIGATIONS
The best way to avoid an external investigation is to ensure that employees feel confident enough in their organization’s reporting infrastructure and policies that they feel they can report issues without reprisal—and that management can learn of issues and mitigate problems before they turn into potential illegal or unethical behavior. The fear of retaliation may be even higher if employees are reporting on a senior executive, but those are precisely the kind of managers that the Yates Memo contemplates as possible targets.
ENCOURAGE SPEAKING UP & TRAIN PROPERLY
Companies need to reassure employees and encourage them to come forward using the appropriate channels for reporting. Accordingly, this encouragement should also be backed by proper training of internal personnel. Being able to successfully conduct witness interviews and manage reports is essential for building trust with those coming forward with a claim of misconduct. Internal investigations are now fair game for prosecutors, so having them conducted impartially and effectively is also critical.
IMPLEMENT POLICIES & PROCEDURES
Apart from ensuring reporting mechanisms are well-publicized and defined in company policies, they need to be perceived as credible by employees, vendors, suppliers, and members of the general public—and audited regularly for effectiveness. There should be a company procedure in place to conduct audits, assessments and employee surveys to establish a benchmark for effectiveness. Data privacy and protection should also be written into the policies in case an international investigation takes place. The procedure should also confirm that any document retention and destruction policy is kept up to date and is regularly audited, publicized and attested to by internal personnel.
QUESTIONS TO ASK
Senior management, counsel, and the board should agree upon certain core principles and be able to answer the following questions:
When should investigations be handled internally or externally and who should retain the counsel? In some cases, the board may want to retain counsel instead of allowing the general counsel to handle the matter.
What will be the policy if a senior manager or executive refuses to answer questions or insists on having counsel present? Who will pay for the counsel?
Does the board need additional training on how Yates could affect their operations and decisions that the board may need to make regarding disclosing sensitive information about high-level personnel or even board members themselves?
How will the procedures put in place affect voluntary disclosures under other legal regimes, and who in the organization should have ultimate responsibility for making these decisions?
Given how quickly the compliance world is changing, a new tone from Washington is something leaders of organizations can’t afford to ignore. The above questions are just a sampling of what boards and senior management should be considering, preferably with guidance from outside counsel.